Security Explained: Regression Testing
23 September 2021
When it comes to securing your application and your users against malicious actors, penetration testing is the way to go. And once it’s done, it’s done. Right?
Unfortunately, this is a common attitude. There’s an element after penetration testing, regardless of which type of testing you choose, that we see often forgotten or neglected. And that’s regression testing.
What is Regression Testing?
Regression testing is simply a quick and thorough check of your system after patching is finished. The typical routine of cybersecurity is penetration testing and then patching any vulnerabilities discovered.
Once the patching is finished, it’s important for regression testing to be conducted. There are no new tests, only a recheck of what was discovered in the original penetration test. Often only a day, the test involves reproducing every vulnerability to ensure that they have been fixed. When we conduct penetration testing, we want to ensure that you’re secure. That the vulnerabilities were patched and secured to the best practice security standards. Without regression testing, we can’t verify that you’re secure.
It’s an often-forgotten step, but it’s crucial. This is the final check, the last opportunity for peace of mind. Confirming that both testing and patching was successful and effective.
How is it different to penetration testing?
It’s not so much that it’s different. More that it’s the next step in the process. Instead of conducting reconnaissance for vulnerabilities, injection points, and attack vectors, our team just revisit what was discovered.
We build on top of the initial test and validate that the discovered vulnerabilities have been patched and sealed up. This is why the test typically only takes a day, two in the case of a huge number of vulnerabilities. Because we’re checking what we’ve already found and reproducing them, it’s not another iteration of penetration testing.
Why should you consider it?
Neglecting regression testing is dangerous. Mistakes in development are easy to make. Programmers and developers are writing thousands of lines of it! To get the peace of mind of a successful penetration test, regression testing ensures that you are fully secure.
In our experience, almost every regression test reveals at least one vulnerability that wasn’t patched effectively. As we said, it’s easy to make mistakes.
Finally, a regression test ensures that the patching hasn’t caused new vulnerabilities to emerge. Development can be a delicate balance, and sometimes fixing one problem causes a new one to emerge. Problems like these are why we suggest regression testing.
While it is an extra step in the chain of cybersecurity, we hope the attitude to regression testing changes. Our goal is a safer digital space, and regression testing will help us get there.